JC17 Rec'd PCT/PTO Q 3 MAY 2001 



FORM PTO-1390 US DEPARTMENT OF COMMERCE 
REV. 5-93PATENT AND TRADEMARK OFFICE 

TRANSMITTAL LETTER TO THE UNITED STATES 
DESIGNATED/ELECTED OFFICE (DO/EO/US) 
CONCERNING A FILING UNDER 35 U.S.C. 371 


ATTORNEYS DOCKET NUMBER 

P01,0142 


U.S. APPLICATION NO. (if known, see 37 CFR 1.5) 

09/8VffH6 


INTERNATIONAL APPLICATION NO. 

PCT/DE99/03262 


INTERNATIONAL FILING DATE 

11 OCTOBER 1999 


PRIORITY DATE CLAIMED 

03 NOVEMBER 1998 


TITLE OF 'N^TgN ARRANGEMENT FOR AUTHENTICATING A FIRST ENTITY AND A SECOND ENTITY 


APPLICANT(S) FOR DO/EO/US 

Martin EUCHNER 



Applicant herewith submits to the United States Designated/Elected Office (DO/EO/US) the following items and other information: 
2. 



This is a FIRST submission of items concerning a filing under 35 U.S.C. 371 . 
^. ^ . This is a SECOND or SUBSEQUENT submission of items concerning a filing under 35 U.S.C. 371 . 
3. a I"* This express request to begin national examination procedures (35 U.S.C. 371 (f)) at any time rather than delay. 
a ?h A proper Demand for Internationa] Preliminary Examination was made by the 1 9th month from the earliest claimed priority date. 



4. h 
5 



ll A copy of international Application as filed (35 U.S.C. 371(c)(2)). 

: =- 1 a. Ei is transmitted herewith (required only if not transmitted by the International Bureau). 

- b. □ has been transmitted by the international Bureau. 

Q c. □ is-not required, as the application was filed in the United States Receiving Office (RO/US) 

6. ei Jll a translation of the International Application into English (35 U.S.C. 371 (c)(2). 



7. hQ Amendments to the claims of the International Application under PCT Article 19 (35 U.S.C. §371 (c)(3)) 

Ld a. □ are transmitted herewith (required only if not transmitted by the International Bureau). 
^ b. □ have been transmitted by the International Bureau. 

c. □ have not been made; however, the time limit for making such amendments has NOT expired. 
i sa * d. a have not been made and will not be made. 

8. □ *~ A translation of the amendments to the claims under PCT Article 19 (35 U.S.C. 371(c)(3)). 

9. a An oath or declaration of the inventor(s) (35 U.S.C. 371 (c)(4)). 

10. a A translation of the annexes to the International Preliminary Examination Report under PCT Article 36 (35 U.S.C. 371(c)(5)). 
Items 11. to 16. below concern other document(s) or information included: 

11. a An Information Disclosure Statement under 37 C.F.R. 1.97 and 1.98; (PTO 1449, Prior Art, Search Report, 11 References). 

12. a 1 ' An assignment document for recording. A separate cover sheet in compliance with 37 C.F.R. 3.28 and 3.31 is included. 

(SEE ATTACHED ENVELOPE) 

1 3. h Amendment "A" Prior to Action and Appendix "A". 

□ A SECOND or SUBSEQUENT preliminary amendment. 

14. a A substitute specification and substitute specification mark-up. 

15. □ A change of address letter attached to the Declaration. 

1 6. e Other items or information: 

a. a Submission of Drawings 

b. h EXPRESS MAIL #EL 843728288 US dated May 3, 2001 



JCISRec'd PCT/PTC 0 3 MAY 2001 



U.S.APPL,CAT10NNO^if Wf9f 37/F fH .5 LTg| ~ i / INTERNATIONAL APPLICATION NO ATTORNEYS DOCKET NUMBER 

F19 / 1 (14b PCT/DE99/03262 P01,0142 


17. a The following fees are submitted: 

BASIC NATIONAL FEE (37 C.F.R. 1.492(a)(1)-(5): 

Search Report has been prepared by the EPO or JPO $860.00 

International preliminary examination fee paid to USPTO (37 C.F.R 1 .482) $690 00 

No international preliminary examination fee paid to USPTO (37 C.F.R. 1.482) but international search 
fee paid to USPTO (37 C F R. 1 .445(a)(2) $71 0.00 

* Neither international preliminary examination fee (37 C.F.R. 1 482) nor international search fee (37 
C.F.R. 1.445(a)(2) paid to USPTO $1000.00 

International preliminary examination fee paid to USPTO (37 C F R. 1 482) and all claims satisfied 
provisions of PCT Article 33(2)-(4) $ 100 00 

ENTER APPROPRIATE BASIC FEE AMOUNT = 


CALCULATIONS | PTO USE ONLY 


$ 860.00 




Surcharge of $130.00 for furnishing the oath or declaration later than □ 20 □ 30 months from the earliest 

^l^imaH niwifv Hate (9.7 PFR 1 AQ?(&\\ 


$ 




Clai^ras 


Number Filed 


Number 
Extra 


Rate 






Total'Claims 


10 -20 = 


0 


XS 18.00 


$ 




Independent Claims 


03 -3 = 


0 


X$ 80.00 


$ 




MulfiBle Deoendent Claim* 




$270.00 + 


$ 




± TOTAL OF ABOVE CALCULATIONS = 


$ 860.00 




Redaction by VSt for filing by small entity, if applicable. Verified Small Entity statement must also be filed. (Note 37 
C.F.R:4.9, 1.27, 1.28) 


$ 




III SUBTOTAL = 


$ 860.00 




Processing fee of $130.00 for furnishing the English translation later than □ 20 □ 30 months from the earliest 
clainSS priority date (37 CFR 1 .492(f)) + 


$ 




\2 TOTAL NATIONAL FEE = 


$ 860.00 




Fee for recording the enclosed assignment (37 C.F R. 1.21(h). The assignment must be accompanied by an 
appropriate cover sheet (37 C.F.R. 3 28, 3.31) $40 00 per property + 






TOTAL FEES ENCLOSED = 


$ 860.00 






Amount to be 
refunded 


$ 


charged 


I $ 



A check in the amount of $ 860.00 to cover the above fees is enclosed. 



b. □ Please charge my Deposit Account No. in the amount of $ to cover the above fees. 

A duplicate copy of this sheet is enclosed. 

c. h The Commissioner is hereby authorized to charge any additional fees which may be required, or credit any overpayment to 

Deposit Account No. 50-1519 . A duplicate copy of this sheet is enclosed. 

NOTE: Where an appropriate time limit under 37 C.F.R. 1.494 or 1.495 has not been met, a petition to revive (37 C.F.R. 1.137(a) or (b)) must be filed and granted to 
restore the application to pending status. 

SEND ALL CORRESPONDENCE TO 

SCHIFF HARDIN & WAITE 
PATENT DEPARTMENT 
6600 Sears Tower 
233 South Wacker Drive 
Chicago, Illinois 60606-6473 



SIGNATURE - MARK BE#GNER (Reg. No. 45,877) 



Date: May 3, 2001 



CUSTOMER NUMBER 26574 



09/ 831 046 



JC18Rec'dPCT/PTO 0 3 MAY 2001 

BOX PCT 

IN THE UNITED STATES DESIGNATED/ELECTED OFFICE 
OF THE UNITED STATES PATENT AND TRADEMARK OFFICE 
UNDER THE PATENT COOPERATION TREATY-CHAPTER II 

PRELIMINARY AMENDMENT A 
PRIOR TO ACTION 

APPLICANT(S): Martin EUCHNER 

ATTORNEY DOCKET NO.: P01 ,0142 

INTERNATIONAL APPLICATION NO: PCT/DE99/03262 

INTERNATIONAL FILING DATE: 1 1 OCTOBER 1999 

INVENTION: METHOD AND ARRANGEMENT FOR 

AUTHENTICATING A FIRST ENTITY AND A SECOND 
ENTITY 



Assistant Commissioner for Patents, 
Washington D.C. 20231 

Sir: 

Applicants herewith amend the above-referenced PCT application, and 
request entry of the Amendment prior to examination on the United States 
Examination Phase. 

IN THE CLAIMS : 

On amended page 12: 

replace line 1 with -WHAT IS CLAIMED IS:-; 

Please replace original claims 1-8 with the following rewritten claims 1-8, 
referring to the mark-ups in Appendix A. 

1 . (Amended) An authenticating method, comprising the steps of: 
carrying out a first operation A(x,g) on a prescribed known value g and on a 

value x known only to a first entity, said first operation A(x,g) being an asymmetric 

cryptographic method, thus producing a first operation result; 

encoding said first operation result utilizing a first key, which is known to said 

first and to a second entity, said encoding being carried out with said first key 

utilizing a symmetrical encoding method, thus producing an encoded first operation 
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result, said first operation result being a second code with which said first entity is 
authorized to undertake a service on said second entity; 

transmitting said encoded first operation result by said first entity to said 
second entity; 

decoding said encoded first operation result by said second entity with said 
first key, and the first entity is thereby authenticated; 

determining said second key in relation to G(gxy), by said second entity 
carrying out a second operation G(gy) with a secret number y known only to it; 

encoding a result of said second operation with said first key; and 

transmitting said encoded second operation result to said first entity. 

2. (Amended) The method as claimed in claim 1 , wherein said first operation 
A(g,x) is a Diffie-Hellman function (G(gx)), G() being an arbitrary, finite cyclic group 
G; and said first operation is an RSA function xg. 

3. (Amended) The method as claimed in claim 1 , wherein said first operation 
is carried out on a group G selected from the group consisting of: 

a) a multiplicative group p* of a finite body p q , in particular having 

a multiplicative group Z* of the integers modulo of a prescribed 
prime number p; 

a multiplicative group p* with t = 2m over a finite body p t of 
characteristic 2; 

a group of units 2 n with n as a composite integer; 

b) a group of points on an elliptic curve over a finite body; and 

c) a Jacobi variant of a hyperelliptic curve over a finite body. 

4. (Amended) The method as claimed in claim 3, wherein said second key is 
a session key or an authorization associated with an application. 



-2- 



Preliminary Amendment A 



5. (Amended) The method as claimed in claim 1 , wherein the Diffie-Hellman 
method is used to generate said second key. 

6. (Amended) The method as claimed in claim 1 , wherein said encoding is 
5 carried out with said first key utilizing a one-way function. 

7. (Amended) The method as claimed in claim 1, wherein said transmitted 
data are confidential data. 

io 8. (Amended) An authenticating arrangement comprising a processor unit 

Q configured to execute the method of claim 1 . 

Please add the following new claims 9 and 10. 
□ 9- (New) The method according to claim 6, wherein said one-way function is 

rfc a cryptographic one-way function. 

;U 10- (New) An authenticating method, comprising the steps of: 

carrying out a first operation A(x,g), using a processor of a first entity, on a 

l :j prescribed known value g and on a value x known only to said first entity, said first 

j-J operation A(x,g) being an asymmetric cryptographic method, thus producing a first 

20 operation result; 

encoding said first operation result utilizing a first key, which is known to said 
first and to a second entity, said encoding being carried out with said first key 
utilizing a symmetrical encoding method by said processor of said first entity, thus 
producing an encoded first operation result, said first operation result being a 

25 second code with which said first entity is authorized to undertake a service on said 
second entity; 

transmitting said encoded first operation result by said first entity to said 
second entity via a communication bus connected to said processor of said first 
entity and connected to a processor of said second entity; 
30 decoding said encoded first operation result by said second entity with said 

first key using said processor of said second entity, and the first entity is thereby 
authenticated; 
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determining said second key in relation to G(gxy), by said second entity 
carrying out a second operation G(gy) with a secret number y known only to it; 
encoding a result of said second operation with said first key; and 
transmitting said encoded second operation result to said first entity via said 
5 communication bus. 



conform to United States patent practice, before examination of the present PCT 

10 application in the United States National Examination Phase. Pursuant to 37 CFR 

J 1 .125 (b), applicants have concurrently submitted a substitute specification, 

•f* excluding the claims, and provided a marked-up copy. All of the changes are 

M editorial and applicant believes no new matter is added thereby. The amendment, 

| addition, and/or cancellation of claims is not intended to be a surrender of any of the 

% subject matter of those claims. 



REMARKS 



The present Amendment revises the specification and claims to 



Early examination on the merits is respectfully requested. 
Submitted by, 




25 



Schiff Hardin & Waite 

Patent Department 

6600 Sears Tower 

233 South Wacker Drive 

Chicago, Illinois 60606-6473 

(312)258-5779 

Attorneys for Applicant 



CUSTOMER NUMBER 26574 
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Appendix A 
Mark Ups for Claim Amendments 

This redlined draft, generated by CompareRite (TM) - The Instant Redliner, shows the differences 
5 between - 

original document : Q:\DOCUMENTS\YEAR 2001\P01 0142\ORIGINAL CLAIMS.DOC 
and revised document: Q:\DOCUMENTS\YEAR 2001\P010142\AMENDED CLAIMS.DOC 

CompareRite found 47 change(s) in the text 

10 

Deletions appear as Overstrike text surrounded by [] 
Additions appear as Bold-Underline text 

1 . (Amended) An authenticating method, comprising the steps of: 
carrying [a) in which a first e ntity carries] out a first operation A(x,g) on a 
is prescribed known value g and on a value x known only to {the} a first entity, {the} 
□ said first operation A(x,g) being an asymmetric cryptographic method , thus 

producing a first operation results 
I™ [b) i n wh i ch tho roeult of th o ] encoding said first operation [is e ncod e d with 

th e a i d of] result utilizing a first key, which is known to {the} said first and to a 
rip second entity, {the} said encoding being carried out with {the} said first key [with th e 

aid of] utilizing a symmetrical encoding method , thus producing an encoded first 

operation result, saidk 
UJ c) in wh i ch th e r e su l t of th e ] first operation [ e ncod e d with the first key i s 

transmitt e d by th e first ent i ty to tho] result being a second code with which said 
25 first entity is authorized to undertake a service on said second entity; 

fafHEfl transmitting said encoded first operation result by said first entity 

to said second entity; 

[d) in which th e r e sult of th e f i rst I decoding said encoded first operation fte 
d e cod e d] result by {the} said second entity with {the} said first key, and the first 

30 entity is thereby authenticated; 

[ e ) in which tho r e sult of th e first operation is a second codo w i th which th e 
f i rst e ntity is author i zed to undertak e a service on th e s e cond e nt i ty; 

f) in wh i ch th e s e cond k e y i s determin e d in r e lat i on toG(gxy), 
by virtue of tho fact that th e second e ntity carri e s] determining said second 
35 key in relation to G(gxv). by said second entity carrying out a second operation 
G(gy) with a secret number y known only to it [, e ncodes th o fc 
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encoding a result of {this} said second operation with {the} said first key {af»4 
transmits it to thol : and 

transmitting said encoded second operation result to said first entity. 

2. (Amended) The method as claimed in claim 1 , [in wh i ch th e ] wherein 
said first operation A(g,x) [ 

a)J is a Diffie-Hellman function (G(gx)), G() being an arbitrary, finite cyclic 
group G; and said first operation {b)J is an RSA function xg. 

3. (Amended) The method as claimed in [on e of th e prec e ding claims, in 
which the] claim 1, wherein said first operation is carried out on a group Gy 
selected from the group [G b e ing on e of th e following groups] consisting of : 

a) a multiplicative group p* of a finite body P q , in particular having 

a multiplicative group ]7 p of the integers modulo of a prescribed prime 
number p; 

a multiplicative group p t with t = 2m over a finite body p t of 
characteristic 2; 

a group of units 2 n with n as a composite integer; 

b) a group of points on an elliptic curve over a finite body; and 

c) a Jacobi variant of a hyperelliptic curve over a finite body. 

4. (Amended) The method as claimed in [th e pr e ceding c l aim, i n wh i ch th e ] 
claim 3, wherein said second key is a session key or an authorization associated 
with an application. 

5. (Amended) The method as claimed in [ono of tho procoding c l aims, in 
which] claim 1, wherein the Diffie-Hellman method is used to generate {the} said 
second key. 
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6. (Amended) The method as claimed in [on e of the pr e c e ding claims, in 
which tho] claim 1, wherein said encoding is carried out with fthej said first key 
[with tho aid of] utilizing a one-way function [, in particular a cryptographic one way 
function.] . 

Pt 47. (Amended) The method as claimed in [on e of th e pr e ceding claims, in 
which tho] claim 1, wherein said transmitted data are confidential data. 

8. (Amended) An authenticating arrangement [in which] comprising a 
processor unit [is provided which is set up in such a way that a method as claimed in 
one of the preceding claims can be carried out.] configured to execute the method 
of claim 1. 
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This redlined draft, generated by CompareRite (TM) - The Instant Redliner, shows the differences 
between - 

original document : Q:\DOCUMENTS\YEAR 2001\P010142\ORIGINAL SPECIFICATION.DOC 
and revised document: Q:\DOCUMENTS\YEAR 2001\P010142\SUBSTITUTE SPECIFICATION.DOC 

5 

CompareRite found 120 change(s) in the text 

Deletions appear as Overstrike text surrounded by Q 
Additions appear as Bold-Underline text 
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rDoscriptionl SPECIFICATION 

[Method and arrangem e nt for auth e nticating a f i rst e ntity and a second e nt i ty] TITLE 

METHOD AND ARRANGEMENT FOR AUTHENTICATING A FIRST ENTITY AND A SECOND 

ENTITY 

15 BACKGROUND OF THE INVENTION 

Field of the Invention 

f00021 The invention relates to a method and an arrangement for authenticating a first entity 

with a second entity and/or vice versa. 

Description of the Related Art 

20 r00031 During an authentication, a first entity declares to a second entity reliably that it 

actually is the first entity. There is a corresponding need in the transmission of (confidential) data to 
ensure from whom [said] the data actually originate. 

r00041 A symmetrical encoding method is known from {f4fl Christoph Ruland: 

Informationssicherheit in Datennetzen flnformation security in data networks!, DATACOM- 

25 Verlag, Bergheim 1993, ISBN 3-89238-081-3. (Ruland), pages 42-46 . In the symmetric encoding 
method, a key is used both for the encoding and for the decoding. An attacker who comes into 
possession of such a key can transform a plain text (the information to be encoded) into encoded text, 
and vice versa. The symmetrical encoding method is also called private key method or method with a 
secret key. A known algorithm for symmetrical encoding is the DES (data encryption standard) 

30 algorithm. It was standardized in 1 974 under ANSI X3.92-1 981 . 

f00051 An asymmetrical encoding method is known from ff2ft Ruland, pages 73-85 . In this 

case, a subscriber is not assigned a single key, but a key system composed of two keys: one key 
maps the plain text into a transformed one, while the other key permits the inverse operation and 
converts the transformed text into plain text. Such a method is termed asymmetric^ because the two 
35 parties participating in a cryptographic operation use different keys (of a key system). One of the two 
keys, for example a key p, can be made publicly known, if the following properties are fulfilled: 

r00061 - It is not possible to derive from the key p with a justifiable outlay^ a secret key 
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s required for the inverse operation. 

f00071 - Even if plain text is transformed with the (public) key p, it is not possible to 

derive the (secret) key s [th e rofrom. 

tfrom it. 

5 r0008] For this reason, the asymmetric encoding method is also termed a public key method 

with a key p which can be made known publicly. 

[00091 It is possible in principle to derive the secret key s from the public key p. However, 

this becomes arbitrarily complicated by virtue of the fact, in particular, that algorithms are selected 
which are based on problems in complexity theory. These algorithms are also spoken of as "one-way 
10 trapdoor" functions. A known representative for an asymmetric encoding method is the Diffie-Heilman 
method {£§]} A. Menezes, P. v. Oorschot S. Vanstone: Handbook of Applied Cryptography: CRC 
Press 1996, ISBN 0-8493-8523-7: chapter 12.6 (pp. 515-524) (Menezes) . This method can be used, 
in particular, for key exchange (Diffie-Hellman key agreement, exponential key exchange). 

r00101 The term encoding implies the general application of a cryptographic method V(x,k), 

15 in which a prescribed input value x (also termed plain text) is converted by means of a secret k (key) 
into an encoded text c: = V(x,k). The plain text x can be reconstructed using knowledge of c and k by 
means of an inverse decoding method. The term encoding is also understood as "one-way encoding" 
with the property that there is no inverse, efficiently calculable decoding method. Examples of such a 
one-way encoding method are { 

20 ]a cryptographic one-way function or a cryptographic hash function, for example the algorithm SHA-1 , 
see {[4^ 

1 NIST, FIPS PUB 180-1: Secure Hash Standard, April 1995, available on-line at 
http://csrc.nist.gov/fips/fip180-1.ps. 

r0011l There is a problem in practice [that i t must b e e nsured] of ensuring that a public key 

25 which is used to verify an electronic signature really is the public key of the person who is assumed to 
be the originator of the transmitted data (ensuring the authenticity of the originator). The public key 
therefore need not be kept secret, but it must be authentic. There are known mechanisms (see f[3})J 
Ruland at pages 101-117) which ensure with a high outlay that the authenticity is reliable. Such a 
mechanism is the setting up of [what is ca l l e d] a trust center, which enjoys trustworthiness and with 
30 the aid of which general authenticity is ensured. The setting up of such a trust center, and the 

exchange of the keys from this trust center are, however, very complicated. For example, it must be 
ensured during the key allocation that it really is the addressee and not a potential attacker who 
receives the key or the keys. The costs for setting up and operating the trust center are 
correspondingly high. 



35 SUMMARY OF THE INVENTION 

r00121 It is the object of the invention to ensure authentication ];, th e r e b e ing no n ee d] 

without needing to invest in a separate outlay for a certification entity or a trust center. 
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[00131 This object is achieved [ i n aocordanco with th e f e atures of tho independent patent 

cla i ms. D e v e lopm e nts of th e i nv e nt i on fol l ow from th e dep e nd e nt c l aims.1 according to the 
discussion below. 

fin ordor to achiovo tho obioct, a1 f00141 The inventive method for [auth e ntifying] authenticating a 
5 first entity with a second entity is [specifi e d,] provided in which the first entity { 

Jcarries out an operation A(x,g) on a (publicly) prescribed known value g and on a value x known only 
to the first entity. The result of the first operation is encoded with the aid of a first key, which is known 
to the first and second entities. The result of the first operation, encoded by [means] way of the first 
key, is transmitted by the first entity to the second entity. 

10 1*00151 It is particularly advantageous in this case {for} to use [to b e made of] a symmetrical 

method in order to authenticate one entity in the eyes of a further entity. This authentication is effected 
without setting up a separate certification entity or a trust center. 

r001 61 One refinement consists in that the first operation A(x,g) is an asymmetric 

cryptographic method. In particular, the first operation can be carried out on an arbitrary finite and 
15 cyclic group G. 

[00171 A further refinement consists in that the first operation A(x,g) is a Diffie-Hellman 

function G(gx). Alternatively, the first operation can also be an RSA function xg. 

F001 81 A development consists in that the group G is one of the following groups: 

1*00191 a) a multiplicative group P q of a finite body P q , in particular having 

20 f00201 a multiplicative group 2 P °f the integers modulo of a prescribed prime number p; 

[00211 a multiplicative group p t with t = 2m over a finite body P t of characteristic 2; and 

f00221 a group of units 2 n with n as a composite integer; 

r00231 b) a group of points on an elliptic curve over a finite body; and 

[00241 c) a Jacobi variant of a hyperelliptic curve over a finite body. 

25 r00251 A further development consists in that the result of the first operation is a second key 

with which the first entity is authorized to undertake a service on the second entity. 

r00261 An additional refinement consists in that the second key is a session key or an 

authorization associated with an application. 

f00271 It also is a development for the second key to be determined in relation to 

30 r00281 G(gxy), 

r00291 by virtue of the fact that the second entity carries out an operation G(gy) with a secret 

number y known only to it. The result of this second operation is encoded with the first key and 
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transmitted to the first entity. 

r00301 An additional development consists in that the Diffie-Hellman method is used to 

generate the second key. 

r0031l Another refinement consists in that the encoding is carried out with the first key with 

5 the aid of a one-way function, in particular a cryptographic one-way function. A one-way function is 
distinguished in that it is easy to calculate in one direction, [wh e r e as] but its inversion can be 
performed only with so large an outlay that [this possibility can be n e gi e ct o d in practic e ] it is 
impractical . An example of such a one-way function is a cryptographic hash function which 
generates an output B from an input A. The output B cannot be used to infer the input A, even when 
10 the algorithm of the hash function is known. 

r00321 Another development is that the encoding which is carried out with the first key 

corresponds to a symmetrical encoding method. 

Finally, it i s ai r00331 A final development is that the transmitted data are confidential data. 

r00341 Furthermore, to achieve the object, an authenticating arrangement is specified in 

15 which a processor unit is provided which is set up in such a way that 

f00351 a) a first entity can carry out a first operation A(x,g) on a prescribed known value 

g and on a value x known only to the first entity; 

r00361 b) the result of the first operation can be encoded with the aid of a first key 

known to the first and to a second entity; 

20 r00371 c) the result of the first operation encoded with the first key can be transmitted 

by the first entity to the second entity; and 

f00381 d) the result of the first operation is decoded by the second entity with the first 

key, and the first entity can thereby be authenticated. 

[00391 This arrangement is particularly suitable for carrying out the method according to the 

25 invention or one of its developments explained above. 

Brief Description of the Drawings 

r00401 Exemplary embodiments of the invention are illustrated and explained below with the 

aid of the [drawing.] drawings. 

[In th e drawing: 

30 Fig. 1 shows a skotchi r0041l Fig. 1 is a block diagram relating to the agreement of a 

common key between two entities whose respective authenticity is ensured in each 
case; 

r00421 Fig. 2 [shows a sketch] is a block diagram in accordance with fig. 1 and using the 
DES algorithm; and 

35 r00431 Fig. 3 [shows] is a block diagram of a processor unit. 
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DETAILED DESCRIPTION OF THE INVENTION 

F00441 Fig. 1 is a [sk e tch] diagram relating to the agreement of a common key between two 

entities whose respective authenticity is ensured in each case. An entity A 101 selects a random 
number x in a body "mod p-1" (see block 103). The entity 101 now sends an entity 102 a message 
5 104 which has the following format: 

F00451 g, p, T A , ID a , gx mod p, H(g x mod p, fPWJgw, ID A) T A , ...), 

r00461 where 

x denotes a secret random value of the entity A 1 01 , 

y denotes a secret random value of the entity B 102, 

10 g denotes a generator according to the Diffie-Heliman method, 

p denotes a prime number for the Diffie-Heliman method, 

T A denotes a time stamp of the entity A during generation and/or transmission of the 
message, 

T B denotes a time stamp of the entity B during generation and/or transmission of the 
15 message, 

ID A denotes an identification feature of the entity A, 

ID B denotes an identification feature of the entity B, 

g x mod p denotes a public Diffie-Heliman key of the entity A, 

g y mod p denotes a public Diffie-Heliman key of the entity B, 

20 fPW} gw denotes a shared secret between the entities A and B (password "shared 

secret"), 

H(M) denotes a cryptographic one-way function (hash function) over the parameters M, 
and 

[KEY] key denotes a session key common to the two entities A and B. 

25 r00471 If this message has arrived at the entity 102, a random number y is selected there 

(see block 105) from the body "mod p-1" and a common key is agreed to in a block 106 as 

{*4E¥J£00481 key = g xy mod p. 

r00491 The second entity 1 02 transmits a message 1 07 with the format 

r00501 TB, ID B , g y mod p, H(g y mod p, fPWJfiw, ID B , T Bf ...) 

30 r00511 to the first entity 101. The first entity 1 01 will [thoroupon] then carry out the operation 

{KEYJI00521 key = g xy mod p 

f00531 in a step 108, this likewise yielding the common key |KEY 4"kev". 
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[It may b e point e d out e xpr e ssly inl TO0541 in this case {that}, for example, the body "mod p-1" 
has been selected as one of many possibilities. Furthermore, the messages 104 and 107 are [to b e ] 
regarded in each case as one possibility of many. In particular, the fields for addressing within the 
messages depend on the application and/or the transmission protocol used. 

5 F00551 A cryptographic one-way hash function H is used in {&§} Fi£. 1 . An example for 

transmitting such a one-way hash function is the SHA-1 algorithm (compare {{4})} NIST. FIPS PUB 
180-1: Secure Hash Standard, April 1995; available on-line at http://csrc.nist.gov/fips/fip180- 
1-ps) . The use of a symmetrical encoding method, for example the DES algorithm {{§]} NIST, FIPS 
PUB 81: PES Modes of Operation, December 1980: available on-line at 
10 http://www.itl.nist.gov/div897/pubs/fip81.htm , instead of the one-way hash function H, is illustrated 
•n {fig} Fjfl. 2. The blocks 1 01 , 1 02, 1 03, 1 05, 1 06 and 1 08 are identical in {fi§^ Rfl. 2 to [fig. 1] Fig, 1 . 
The message 201 transmitted by the first entity 101 to the second entity 102 has the format 

r00561 g, p, T A , I Da, g x mod p, [ENCPW(gx] Encr P W fg x mod p, {PW} £w, ID Al T A) ...), 

r00571 where 

15 [ENCPW(M)i r00581 Encr P W (M) denotes a symmetrical method for encoding the parameter M 
with the key PW. 

r00591 In the reverse direction, the entity 102 sends the entity 101 in fig. 2 the message 202 

which has the following format: 

r00601 TB, ID B , g y mod p, [ENCPW(gy] Encr P w(g y mod p, PW, IDB, TB, ...). 

20 [It may bo remarked h e r e , in particular, that i ni r00611 ]n each case 2 one message (the message 
1 04 in {£§} Fia. 1 , and the message 201 in {fig} Fig. 2) suffices in order to authenticate the first entity 
101 with respect to the second entity {202} 102. Disregarding the fact that the second entity 102, for 
example A a service to be undertaken within a network connection^} (for example the Internet^}! must 
also be authenticated, it can suffice if only the first entity 101 is authenticated. This already [obtains] 

25 derives after transmission of the respective first messages 104 and 201 . If, in particular, the first 

entity 101 dials in at the second entity 102, it is frequently to be assumed that this second entity 102 is 
also the correct entity. Conversely, the second entity 102 must be able to assume that the caller (the 
first entity 101) is also the one for which it is outputting. Checking authenticity is therefore important in 
this direction, from the first entity 101 to the second entity 102. 

30 r00621 Fig. 3 illustrates a processor unit PRZE. The processor unit PRZE comprises a 

processor CPU, a memory SPE and an input/output interface IOS which {is} are used in various ways 
via an interface IFC. Via a graphics interface, an output is visualized on a monitor MON and/or output 
on a printer PRT. An input is performed via a mouse MAS or a keyboard TAST. The processor unit 
PRZE also has a data bus BUS, which ensures the connection of a memory MEM, the processor 

35 CPUj and the input/output interface IOS. Furthermore, additional components, for example 2 additional 
memory, data memory (hard disk) or scanner, can be connected to the data bus BUS. 

[List of rofor o ncos:]£ 00631 The above-described method and arrangement are illustrative of 
the principles of the present invention. Numerous modifications and adaptations will be 
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readily apparent to those skilled in this art without departing from the spirit and scope of the 
present invention. 
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Abstract 

M e thod and arrangem e nt for authent i cating a first e ntity and a second e nt i ty 

^ 5 lf00641 In order to authenticate a first entity at a second entity, a first number is generated by 

[m e ans] way of an asymmetric cryptographic method. This first number is symmetrically encoded and 
transmitted to the second entity. The second entity checks the first number by decoding the second 
number and thereby authenticates the first entity. 
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SPECIFICATION 
TITLE 

METHOD AND ARRANGEMENT FOR AUTHENTICATING A FIRST ENTITY AND A 

SECOND ENTITY 

BACKGROUND OF THE INVENTION 

Field of the Invention 

[0001] The invention relates to a method and an arrangement for 

authenticating a first entity with a second entity and/or vice versa. 

Description of the Related Art 

[0002] During an authentication, a first entity declares to a second entity 

reliably that it actually is the first entity. There is a corresponding need in the 
transmission of (confidential) data to ensure from whom the data actually originate. 

[0003] A symmetrical encoding method is known from Christoph Ruland: 

Informationssicherheit in Datennetzen [Information security in data networks], 
DATACOM-Verlag, Bergheim 1993, ISBN 3-89238-081-3, (Ruland), pages 42-46. In 
the symmetric encoding method, a key is used both for the encoding and for the 
decoding. An attacker who comes into possession of such a key can transform a 
plain text (the information to be encoded) into encoded text, and vice versa. The 
symmetrical encoding method is also called private key method or method with a 
secret key. A known algorithm for symmetrical encoding is the DES (data encryption 
standard) algorithm. It was standardized in 1974 under ANSI X3.92-1981. 

[0004] An asymmetrical encoding method is known from Ruland, pages 73- 
85. In this case, a subscriber is not assigned a single key, but a key system 
composed of two keys: one key maps the plain text into a transformed one, while the 
other key permits the inverse operation and converts the transformed text into plain 
text. Such a method is termed asymmetric because the two parties participating in a 
cryptographic operation use different keys (of a key system). One of the two keys, 
for example a key p, can be made publicly known, if the following properties are 
fulfilled: 

[0005] - It is not possible to derive from the key p with a justifiable outlay; 
a secret key s required for the inverse operation. 
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[0006] - Even if plain text is transformed with the (public) key p, it is not 
possible to derive the (secret) key s from it. 

[0007] For this reason, the asymmetric encoding method is also termed a 
public key method with a key p which can be made known publicly. 

5 [0008] It is possible in principle to derive the secret key s from the public key 

p. However, this becomes arbitrarily complicated by virtue of the fact, in particular, 
that algorithms are selected which are based on problems in complexity theory. 
These algorithms are also spoken of as "one-way trapdoor" functions. A known 
representative for an asymmetric encoding method is the Diffie-Hellman method A. 
10 Menezes, P. v. Oorschot, S. Vanstone: Handbook of Applied Cryptography; CRC 
Press 1996, ISBN 0-8493-8523-7; chapter 12.6 (pp. 515-524) (Menezes). This 
method can be used, in particular, for key exchange (Diffie-Hellman key agreement, 
exponential key exchange). 

[0009] The term encoding implies the general application of a cryptographic 
15 method V(x,k), in which a prescribed input value x (also termed plain text) is 

converted by means of a secret k (key) into an encoded text c: = V(x,k). The plain 
text x can be reconstructed using knowledge of c and k by means of an inverse 
decoding method. The term encoding is also understood as "one-way encoding" with 
the property that there is no inverse, efficiently calculable decoding method. 
20 Examples of such a one-way encoding method are a cryptographic one-way function 
or a cryptographic hash function, for example the algorithm SHA-1 , see NIST, FIPS 
PUB 180-1: Secure Hash Standard, April 1995, available on-line at 
http://csrc.nist.gov/fips/fip180-1 .ps. 

[0010] There is a problem in practice of ensuring that a public key which is 

2 5 used to verify an electronic signature really is the public key of the person who is 

assumed to be the originator of the transmitted data (ensuring the authenticity of the 
originator). The public key therefore need not be kept secret, but it must be 
authentic. There are known mechanisms (see Ruland at pages 101-1 17) which 
ensure with a high outlay that the authenticity is reliable. Such a mechanism is the 

3 0 setting up of a trust center, which enjoys trustworthiness and with the aid of which 

general authenticity is ensured. The setting up of such a trust center, and the 

exchange of the keys from this trust center are, however, very complicated. For 

example, it must be ensured during the key allocation that it really is the addressee 
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and not a potential attacker who receives the key or the keys. The costs for setting 
up and operating the trust center are correspondingly high. 

SUMMARY OF THE INVENTION 

[001 1] It is the object of the invention to ensure authentication without needing 

5 to invest in a separate outlay for a certification entity or a trust center. 

[0012] This object is achieved according to the discussion below. 

[001 3] The inventive method for authenticating a first entity with a second 

entity is provided in which the first entity carries out an operation A(x,g) on a 
(publicly) prescribed known value g and on a value x known only to the first entity. 
io The result of the first operation is encoded with the aid of a first key, which is known 
to the first and second entities. The result of the first operation, encoded by way of 
the first key, is transmitted by the first entity to the second entity. 

[0014] It is particularly advantageous in this case to use a symmetrical 

method in order to authenticate one entity in the eyes of a further entity. This 
15 authentication is effected without setting up a separate certification entity or a trust 
center. 

[001 5] One refinement consists in that the first operation A(x,g) is an 

asymmetric cryptographic method. In particular, the first operation can be carried out 
on an arbitrary finite and cyclic group G. 

20 [001 6] A further refinement consists in that the first operation A(x,g) is a Diffie- 
Hellman function G(gx). Alternatively, the first operation can also be an RSA function 
xg. 

[001 7] A development consists in that the group G is one of the following 
groups: 

25 [0018] a) a multiplicative group p* of a finite body p q , in particular having 

[0019] a multiplicative group 2* of the integers modulo of a prescribed prime 
number p; 

[0020] a multiplicative group p[ with t = 2m over a finite body p t of 
characteristic 2; and 

[0001] - 3 - Substitute Specification 



[0021] a group of units 2L n w ' th n as a composite integer; 

[0022] b) a group of points on an elliptic curve over a finite body; and 

[0023] c) a Jacobi variant of a hyperelliptic curve over a finite body. 

[0024] A further development consists in that the result of the first operation is 

5 a second key with which the first entity is authorized to undertake a service on the 
second entity. 

[0025] An additional refinement consists in that the second key is a session 
key or an authorization associated with an application. 

[0026] It also is a development for the second key to be determined in relation 

10 to 

[0027] G(gxy), 

[0028] by virtue of the fact that the second entity carries out an operation 
G(gy) with a secret number y known only to it. The result of this second operation is 
encoded with the first key and transmitted to the first entity. 

15 [0029] An additional development consists in that the Diffie-Hellman method 
is used to generate the second key. 

[0030] Another refinement consists in that the encoding is carried out with the 

first key with the aid of a one-way function, in particular a cryptographic one-way 
function. A one-way function is distinguished in that it is easy to calculate in one 
20 direction, but its inversion can be performed only with so large an outlay that it is 

impractical. An example of such a one-way function is a cryptographic hash function 
which generates an output B from an input A. The output B cannot be used to infer 
the input A, even when the algorithm of the hash function is known. 

[0031] Another development is that the encoding which is carried out with the 

2 5 first key corresponds to a symmetrical encoding method. 

[0032] A final development is that the transmitted data are confidential data. 

[0033] Furthermore, to achieve the object, an authenticating arrangement is 

specified in which a processor unit is provided which is set up in such a way that 

[0034] a) a first entity can carry out a first operation A(x,g) on a prescribed 

3 o known value g and on a value x known only to the first entity; 
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[0035] b) the result of the first operation can be encoded with the aid of a 

first key known to the first and to a second entity; 

[0036] c) the result of the first operation encoded with the first key can be 
transmitted by the first entity to the second entity; and 

[0037] d) the result of the first operation is decoded by the second entity 
with the first key, and the first entity can thereby be authenticated. 

[0038] This arrangement is particularly suitable for carrying out the method 
according to the invention or one of its developments explained above. 

Brief Description of the Drawings 

[0039] Exemplary embodiments of the invention are illustrated and explained 

below with the aid of the drawings. 

[0040] Fig. 1 is a block diagram relating to the agreement of a common key 
between two entities whose respective authenticity is ensured in each 
case; 

[0041] Fig. 2 is a block diagram in accordance with fig. 1 and using the DES 

algorithm; and 
[0042] Fig. 3 is a block diagram of a processor unit. 

DETAILED DESCRIPTION OF THE INVENTION 

[0043] Fig. 1 is a diagram relating to the agreement of a common key 
between two entities whose respective authenticity is ensured in each case. An 
entity A 101 selects a random number x in a body "mod p-1" (see block 103). The 
entity 101 now sends an entity 102 a message 104 which has the following format: 

[0044] g, p, T A , I Da, gx mod p, H(g x mod p, pw, I Da, T a , •••). 

[0045] where 

x denotes a secret random value of the entity A 1 01 , 

y denotes a secret random value of the entity B 1 02, 

g denotes a generator according to the Diffie-Hellman method, 

p denotes a prime number for the Diffie-Hellman method, 
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T A denotes a time stamp of the entity A during generation and/or 

transmission of the message, 

T B denotes a time stamp of the entity B during generation and/or 

transmission of the message, 

5 I D A denotes an identification feature of the entity A, 

ID B denotes an identification feature of the entity B, 

g x mod p denotes a public Diffie-Hellman key of the entity A, 

g y mod p denotes a public Diffie-Hellman key of the entity B, 

pw denotes a shared secret between the entities A and B 

10 (password "shared secret"), 

H(M) denotes a cryptographic one-way function (hash function) over 

the parameters M, and 

key denotes a session key common to the two entities A and B. 

[0046] If this message has arrived at the entity 1 02, a random number y is 

15 selected there (see block 105) from the body "mod p-1" and a common key is 
agreed to in a block 1 06 as 

[0047] key = g xy mod p. 

[0048] The second entity 102 transmits a message 107 with the format 

[0049] TB, ID B , g y mod p, H(g y mod p, pw, ID B , T B , -) 

2 0 [0050] to the first entity 101 . The first entity 101 will then carry out the 
operation 

[0051] key = g xy mod p 

[0052] in a step 108, this likewise yielding the common key "key". 

[0053] In this case, for example, the body "mod p-1" has been selected as 

25 one of many possibilities. Furthermore, the messages 104 and 107 are regarded in 
each case as one possibility of many. In particular, the fields for addressing within 
the messages depend on the application and/or the transmission protocol used. 

[0054] A cryptographic one-way hash function H is used in Fig. 1 . An example 
for transmitting such a one-way hash function is the SHA-1 algorithm (compare 
[0001] - 6 - Substitute Specification 



NIST, FIPS PUB 180-1: Secure Hash Standard, April 1995; available on-line at 
http://csrc.nist.gov/fips/fip180-1.ps). The use of a symmetrical encoding method, for 
example the DES algorithm NIST, FIPS PUB 81: DES Modes of Operation, 
December 1980; available on-line at http://www.itl.nist.gov/div897/pubs/fip81.htm, 
instead of the one-way hash function H, is illustrated in Fig. 2. The blocks 101, 102, 
103, 105, 106 and 108 are identical in Fig. 2 to Fig. 1. The message 201 transmitted 
by the first entity 101 to the second entity 102 has the format 

[0055] g, p, T A> ID A , g x mod p, Encr PW (g x mod p, pw, ID A , T A , ...), 

[0056] where 

[0057] Encrpw(M) denotes a symmetrical method for encoding the 

parameter M with the key PW. 

[0058] In the reverse direction, the entity 102 sends the entity 101 in fig. 2 the 

message 202 which has the following format: 

[0059] TB, ID B , g y mod p, Encr PW (g y mod p, PW, IDB, TB, ...). 

[0060] In each case, one message (the message 104 in Fig. 1 , and the 
message 201 in Fig. 2) suffices in order to authenticate the first entity 101 with 
respect to the second entity 102. Disregarding the fact that the second entity 102, for 
example, a service to be undertaken within a network connection (for example the 
Internet) must also be authenticated, it can suffice if only the first entity 101 is 
authenticated. This already derives after transmission of the respective first 
messages 104 and 201 . If, in particular, the first entity 101 dials in at the second 
entity 102, it is frequently to be assumed that this second entity 102 is also the 
correct entity. Conversely, the second entity 102 must be able to assume that the 
caller (the first entity 101) is also the one for which it is outputting. Checking 
authenticity is therefore important in this direction, from the first entity 101 to the 
second entity 102. 

[0061] Fig. 3 illustrates a processor unit PRZE. The processor unit PRZE 

comprises a processor CPU, a memory SPE and an input/output interface IOS 
which are used in various ways via an interface IFC. Via a graphics interface, an 
output is visualized on a monitor MON and/or output on a printer PRT. An input is 
performed via a mouse MAS or a keyboard TAST. The processor unit PRZE also 
has a data bus BUS, which ensures the connection of a memory MEM, the 
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processor CPU, and the input/output interface IOS. Furthermore, additional 
components, for example, additional memory, data memory (hard disk) or scanner, 
can be connected to the data bus BUS. 

[0062] The above-described method and arrangement are illustrative of the 

principles of the present invention. Numerous modifications and adaptations will be 
readily apparent to those skilled in this art without departing from the spirit and 
scope of the present invention. 
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ABSTRACT 

[0063] In order to authenticate a first entity at a second entity, a first number is 

generated by way of an asymmetric cryptographic method. This first number is 
symmetrically encoded and transmitted to the second entity. The second entity 
checks the first number by decoding the second number and thereby authenticates 
the first entity. 
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Description 

Method and arrangement for authenticating a first 
entity and a second entity 

5 

The invention relates to a method and an 
arrangement for authenticating a first entity with a 
second entity and/or vice versa. 

During an authentif ication, a first entity 

10 declares to a second entity reliably that it actually 
is the first entity. There is a corresponding need in 
the transmission of (confidential) data to ensure from 
whom said data actually originate. 

A symmetrical encoding method is known from 

15 [1] . In the symmetric encoding method, a key is used 
both for the encoding and for the decoding. An attacker 
who comes into possession of such a key can transform a 
plain text (the information to be encoded) into encoded 
text, and vice versa. The symmetrical encoding method 

20 is also called private key method or method with a 
secret key. A known algorithm for symmetrical encoding 
is the DES (data encryption standard) algorithm. It was 
standardized in 1974 under ANSI X3. 92-1981. 

An asymmetrical encoding method is known from 

25 [2] . In this case, a subscriber is not assigned a 
single key, but a key system composed of two keys: one 
key maps the plain text into a transformed one, while 
the other key permits the inverse operation and 
converts the transformed text into plain text. Such a 

30 method is termed asymmetric, because the two parties 
participating in a cryptographic operation use 
different 
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keys (of a key system) . One of the two keys, for 
example a key p, can be made publicly known, if the 
following properties are fulfilled: 

It is not possible to derive from the key p 
5 with a justifiable outlay a secret key s 

required for the inverse operation. 
Even if plain text is transformed with the 
(public) key p, it is not possible to derive 
the (secret) key s therefrom. 
10 For this reason, the asymmetric encoding method 

is also termed a public key method with a key p which 
can be made known publicly. 

It is possible in principle to derive the 
secret key s from the public key p. However, this 
15 becomes arbitrarily complicated by virtue of the fact, 
in particular, that algorithms are selected which are 
based on problems in complexity theory. These 
algorithms are also spoken of as "one-way trapdoor" 
functions. A known representative for an asymmetric 
20 encoding method is the Dif f ie-Hellman method [6] . This 
method can be used, in particular, for key exchange 
(Dif f ie-Hellman key agreement, exponential key 
exchange) . 

The term encoding implies the general 
25 application of a cryptographic method V(x,k), in which 
a prescribed input value x (also termed plain text) is 
converted by means of a secret k (key) into an encoded 
text c: = V(x,k). The plain text x can be reconstructed 
using knowledge of c and k by means of an inverse 
30 decoding method. The term encoding is also understood 
as "one-way encoding" with the property that there is 
no inverse, efficiently calculable decoding method. 
Examples of such a one-way encoding method are 
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a cryptographic one-way function or a cryptographic 
hash function, for example the algorithm SHA-1, see 
[4] . 

There is a problem in practice that it must be 
5 ensured that a public key which is used to verify an 
electronic signature really is the public key of the 
person who is assumed to be the originator of the 
transmitted data (ensuring the authenticity of the 
originator) . The public key therefore need not be kept 

10 secret, but it must be authentic. There are known 
mechanisms (see [3]) which ensure with a high outlay 
that the authenticity is reliable. Such a mechanism is 
the setting up of what is called a trust center, which 
enjoys trustworthiness and with the aid of which 

15 general authenticity is ensured. The setting up of such 
a trust center, and the exchange of the keys from this 
trust center are, however, very complicated. For 
example, it must be ensured during the key allocation 
that it really is the addressee and not a potential 

20 attacker who receives the key or the keys. The costs 
for setting up and operating the trust center are 
correspondingly high. 

It is the object of the invention to ensure 
authentication, there being no need to invest in a 

25 separate outlay for a certification entity or a trust 
center . 

This object is achieved in accordance with the 
features of the independent patent claims. Developments 
of the invention follow from the dependent claims. 
30 In order to achieve the object, a method for 

authentifying a first entity with a second entity is 
specified, in which the first entity 
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carries out an operation A(x,g) on a (publicly) 
prescribed known value g and on a value x known only to 
the first entity. The result of the first operation is 
encoded with the aid of a first key, which is known to 
5 the first and second entities. The result of the first 
operation, encoded by means of the first key, is 
transmitted by the first entity to the second entity. 

It is particularly advantageous in this case 
for use to be made of a symmetrical method in order to 
10 authenticate one entity in the eyes of a further 
entity. This authentication is effected without setting 
up a separate certification entity or a trust center. 

One refinement consists in that the first 
operation A(x,g) is an asymmetric cryptographic method, 
15 In particular, the first operation can be carried out 
on an arbitrary finite and cyclic group G. 

A further refinement consists in that the first 
operation A(x,g) is a Dif f ie-Hellman function G(g x ). 
Alternatively, the first operation can also be an RSA 
2 0 function x g . 

A development consists in that the group G is 
one of the following groups: 

a) a multiplicative group F* of a finite body F q , in 

particular having 
25 • a multiplicative group Z* of the integers modulo 

of a prescribed prime number p; 

• a multiplicative group F* with t = 2 m over a 

finite body F t of characteristic 2/ 

• a group of units Z* with n as a composite 

30 integer; 

b) a group of points on an elliptic curve over a 
finite body; and 
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c) a Jacobi variant of a hyperelliptic curve over a 
finite body. 

A further development consists in that the 
result of the first operation is a second key with 
5 which the first entity is authorized to undertake a 
service on the second entity. 

An additional refinement consists in that the 
second key is a session key or an authorization 
associated with an application. 
10 It also is a development for the second key to 

be determined in relation to 

G(g* y ) , 

15 by virtue of the fact that the second entity carries 
out an operation G(g y ) with a secret number y known 
only to it. The result of this second operation is 
encoded with the first key and transmitted to the first 
entity. 

20 An additional development consists in that the 

Dif f ie-Hellman method is used to generate the second 
key. 

Another refinement consists in that the 
encoding is carried out with the first key with the aid 

25 of a one-way function, in particular a cryptographic 
one-way function. A one-way function is distinguished 
in that it is easy to calculate in one direction, 
whereas its inversion can be performed only with so 
large an outlay that this possibility can be neglected 

30 in practice. An example of such a one-way function is a 
cryptographic hash function which generates an output B 
from an input A. The output B cannot be used to infer 
the input A, 
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even when the algorithm of the hash function is known. 

Another development is that the encoding which 
is carried out with the first key corresponds to a 
symmetrical encoding method. 
5 Finally, it is a development that the 

transmitted data are confidential data. 

Furthermore, to achieve the object, an 
authenticating arrangement is specified in which a 
processor unit is provided which is set up in such a 
10 way that 

a) a first entity can carry out a first operation 
A(x,g) on a prescribed known value g and on a 
value x known only to the first entity; 

b) the result of the first operation can be 
15 encoded with the aid of a first key known to 

the first and to a second entity; 

c) the result of the first operation encoded with 
the first key can be transmitted by the first 
entity to the second entity; and 

20 d) the result of the first operation is decoded by 

the second entity with the first key, and the 
first entity can thereby be authenticated. 
This arrangement is particularly suitable for 
carrying out the method according to the invention or 
25 one of its developments explained above. 

Exemplary embodiments of the invention are 
illustrated and explained below with the aid of the 
drawing . 
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In the drawing: 
Fig. 1 shows a sketch relating to the agreement of a 

common key between two entities whose 

respective authenticity is ensured in each 
5 case; 

Fig. 2 shows a sketch in accordance with fig. 1 and 

using the DES algorithm; and 
Fig. 3 shows a processor unit. 

Fig. 1 is a sketch relating to the agreement of 
10 a common key between two entities whose respective 
authenticity is ensured in each case. An entity A 101 
selects a random number x in a body "mod p-1" (see 
block 103) . The entity 101 now sends an entity 102 a 
message 104 which has the following format: 

15 

g, p, T A , ID A , g* mod p, H(g x mod p, PW, ID A , T A , . ..), 



where 

x denotes a secret random value of the 

20 entity A 101, 

y denotes a secret random value of the 

entity B 102, 

g denotes a generator according to the 

Dif f ie-Hellman method, 
25 p denotes a prime number for the Diffie- 

Hellman method, 
T A denotes a time stamp of the entity A 

during generation and/or transmission of 
the message, 

30 T B denotes a time stamp of the entity B 

during generation and/or transmission of 
the message, 

ID A denotes an identification feature of the 

entity A, 

35 ID B denotes an identification feature of the 

entity B, 

g x mod p denotes a public Dif f ie-Hellman key of 
the entity A, 
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g y mod p denotes a public Dif f ie-Hellman key of 
the entity B, 

PW denotes a shared secret between the 

entities A and B (password "shared 
5 secret") , 

H (M) denotes a cryptographic one-way function 

(hash function) over the parameters M, 
and 

KEY denotes a session key common to the two 

10 entities A and B. 

If this message has arrived at the entity 102, a random 
number y is selected there (see block 105) from the 
body "mod p-1" and a common key is agreed in a block 
106 as 



15 



20 



KEY = g xy mod p. 

The second entity 102 transmits a message 107 
with the format 

T B , ID B , g y mod p, H(g Y mod p, PW, ID B , T B/ --.) 



to the first entity 101. The first entity 101 will 
thereupon carry out the operation 

25 

KEY = g xy mod p 



in a step 108, this likewise yielding the common key 
KEY . 

30 It may be pointed out expressly in this case 

that, for example, the body "mod p-1" has been selected 
as one of many possibilities. Furthermore, the messages 
104 and 107 are to be regarded in each case as one 
possibility of many. In particular, the fields for 

35 addressing within the messages depend on the 
application and/or the transmission protocol used. 
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A cryptographic one-way hash function H is used 
in fig. 1. An example for transmitting such a one-way 
hash function is the SHA-1 algorithm {compare [4]). The 
use of a symmetrical encoding method, for example the 
5 DES algorithm [5], instead of the one-way hash function 
H, is illustrated in fig. 2. The blocks 101, 102, 103, 
105, 106 and 108 are identical in fig. 2 to fig. 1. The 
message 201 transmitted by the first entity 101 to the 
second entity 102 has the format 

10 

g, p, T A , ID A , g x mod p, ENC PW (g x mod p, PW, ID A/ T A , ...), 
where 

ENCp W (M) denotes a symmetrical method for 
15 encoding the parameter M with the key 

PW. 

In the reverse direction, the entity 102 sends 
the entity 101 in fig. 2 the message 202 which has the 
following format: 

20 

Tg, ID b , g y mod p, ENC PW (g y mod p, PW, ID B , T B , . . . ) ■ 

It may be remarked here, in particular, that in 
each case one message (the message 104 in fig. 1, and 

25 the message 201 in fig. 2) suffices in order to 
authenticate the first entity 101 with respect to the 
second entity 202. Disregarding the fact that the 
second entity 102, for example a service to be 
undertaken within a network connection, for example the 

30 Internet, must also be authenticated, it can suffice if 
only the first entity 101 is authenticated. This 
already obtains after transmission of the respective 
first messages 104 and 201. If, in particular, the 
first entity 101 dials in at the second entity 102, it 

35 is frequently to be assumed that this second 
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entity 102 is also the correct entity. Conversely, the 
second entity 102 must be able to assume that the 
caller (the first entity 101) is also the one for which 
it is outputting. Checking authenticity is therefore 
5 important in this direction, from the first entity 101 
to the second entity 102. 

Fig, 3 illustrates a processor unit PRZE. The 
processor unit PRZE comprises a processor CPU, a memory 
SPE and an input/output interface IOS which is used in 

10 various ways via an interface IFC. Via a graphics 
interface, an output is visualized on a monitor MON 
and/or output on a printer PRT . An input is performed 
via a mouse MAS or a keyboard TAST . The processor unit 
PRZE also has a data bus BUS, which ensures the 

15 connection of a memory MEM, the processor CPU and the 
input/output interface IOS. Furthermore, additional 
components, for example additional memory, data memory 
(hard disk) or scanner, can be connected to the data 
bus BUS. 
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Patent claims 



1. An authenticating method, 

a) in which a first entity carries out a first 
operation A(x f g) on a prescribed known value g and 
on a value x known only to the first entity, the 
first operation A(x,g) being an asymmetric 
cryptographic method; 

b) in which the result of the first operation is 
encoded with the aid of a first key, which is 
known to the first and to a second entity, the 
encoding being carried out with the first key with 
the aid of a symmetrical encoding method; 

c) in which the result of the first operation encoded 
with the first key is transmitted by the first 
entity to the second entity; and 

d) in which the result of the first operation is 
decoded by the second entity with the first key, 
and the first entity is thereby authenticated; 

e) in which the result of the first operation is a 
second code with which the first entity is 
authorized to undertake a service on the second 
entity; 

f) in which the second key is determined in relation 
to 

G(g xy ), 

by virtue of the fact that the second entity 
carries out a second operation G(g y ) with a secret 
number y known only to it, encodes the result of 
this second operation with the first key and 
transmits it to the first entity. 
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2. The method as claimed in claim 1, in which the 
first operation A(g,x) 

a) is a Dif f ie-Hellman function (G(g x ), G() being an 
arbitrary, finite cyclic group G; and 

b) is an RSA function x g . 

3. The method as claimed in one of the preceding 
claims, in which the first operation is carried out on 
a group G, the group G being one of the following 
groups : 

a) a multiplicative group F* of a finite body F q/ in 
particular having 

• a multiplicative group Z* of the integers modulo 

of a prescribed prime number p; 

• a multiplicative group F* with t = 2 m over a 

finite body F t of characteristic 2; 

• a group of units with n as a composite 

integer; 

b) a group of points on an elliptic curve over a 
finite body; and 

c) a Jacobi variant of a hyperellipt ic curve over a 
finite body. 

4. The method as claimed in the preceding claim, 
in which the second key is a session key or an 
authorization associated with an application. 

5. The method as claimed in one of the preceding 
claims, in which the Dif f ie-Hellman method is used to 
generate the second key. 

6. The method as claimed in one of the preceding 
claims, in which the encoding is carried out with the 
first key with the aid of a one-way function, in 
particular a cryptographic one-way function. 
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7 . The method as claimed in one of the preceding 
claims, in which the transmitted data are confidential 
data . 

8. An authenticating arrangement in which a 
processor unit is provided which is set up in such a 
way that a method as claimed in one of the preceding 
claims can be carried out. 
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Abstract 

Method and arrangement for authenticating a first 
entity and a second entity 

In order to authenticate a first entity at a 
second entity, a first number is generated by means of 
an asymmetric cryptographic method. This first number 
is symmetrically encoded and transmitted to the second 
entity. The second entity checks the first number by 
decoding the second number and thereby authenticates 
the first entity. 
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Declaration and Power of Attorney For Patent Application 
Erklarung Fur Patentanmeldungen Mit Vollmacht 

German Language Declaration 



Als nachstehend benannter Erfinder erklare ich hiermit 
an Eides Start: 



dass mein Wohnsitz, meine Postanschrift, und meine 
Staatsangehdrigkeit den im Nachstehenden nach 
meinem Namen aufgefuhrten Angaben entsprechen, 



dass ich, nach bestem Wissen der ursprungliche, erste 
und aileinige Erfinder (falls nachstehend nur ein Name 
angegeben ist) Oder ein ursprunglicher, erster und 
Miterfinder (falls nachstehend mehrere Namen 
aufgefuhrt sind) des Gegenstandes bin, fur den dieser 
Antrag gestelit wird und fur den ein Patent beantragt 
wird fur die Erfindung mit dem Titel: 

Verfahren und Anordnung zur 



Authentication von einer ersten 



Instanz und einer zweiten Instanz 



deren Beschreibung 

(zutreffendes ankreuzen) 

hier beigefijgt ist. 
[X] am 11.10.1999 ais 
PCT internationale Anmeldung 

PCT Anmeldungsnummer 

eingereicht wurde und am . 



PCT/DE99/03262 



abgeandert wurde (falls tatsachlich abgeandert). 



Ich bestatige hiermit, dass ich den Inhalt der obigen 
Patentanmeldung einschliesslich der Anspriiche 
durchgesehen und verstanden habe, die eventuell 
durch einen Zusatzantrag wie oben erwahnt abgean- 
dert wurde. 



Ich erkenne meine Pflicht zur Offenbarung irgendwel- 
cher Informationen, die fur die Prufung der vorliegen- 
den Anmeldung in Einklang mit Absatz 37, Bundes- 
gesetzbuch, Paragraph 1.56(a) von Wichtigkeit sind, 
an. 



Ich beanspruche hiermit auslandische Prioritatsvorteile 
gemass Abschnitt 35 der Zivilprozessordnung der 
Vereinigten Staaten, Paragraph 119 aller unten ange- 
gebenen Auslandsanmeldungen fur ein Patent oder 
eine Erfindersurkunde, und habe auch alle Auslands- 
anmeldungen fur ein Patent oder eine Erfindersurkun- 
de nachstehend gekennzeichnet, die ein Anmelde- 
datum haben, das vor dem Anmeldedatum der 
Anmeldung liegt, fur die Prioritat beansprucht wird. 



As a below named inventor, I hereby declare that: 



My residence, post office address and citizenship are 
as stated below next to my name, 



I believe i am the original, first and sole inventor (if only 
one name is listed below) or an original, first and joint 
inventor (if plural names are listed below) of the 
subject matter which is claimed and for which a patent 
is sought on the invention entitled 



Method and array for authenticating a 
first instance and a second instance 



the specification of which 

(check one) 

□ is attached hereto. 

El was filed on 11.10.1999 



as 



PCT international application 

PCT Application No. PCT/DE99/03262 

and was amended on 



(if applicable) 



I hereby state that I have reviewed and understand the 
contents of the above identified specification, including 
the claims as amended by any amendment referred to 
above. 



I acknowledge the duty to disclose information which is 
material to the examination of this application in 
accordance with Title 37, Code of Federal Regulations, 
§1. 56(a). 



I hereby claim foreign priority benefits under Title 35, 
United States Code, §119 of any foreign application^) 
for patent or inventor's certificate listed below and have 
also identified below any foreign application for patent 
or inventor's certificate having a filing date before that 
of the application on which priority is claimed: 
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Patent and Trademark Office-U.S. DEPARTMENT OF COMMERCE 





German Language Declaration 


Prior foreign appplications 
Prioritat beansprucht 




Priority Claimed 


19850665.1 DE 

(Number) (Country) 
(Nummer) (Land) 


03.11.1998 M [~l 
(Day Month Year Filed) Yes No 
(Tag Monat Jahr eingereicht) Ja Nein 


(Number) (Country) 
(Nummer) (Land) 


□ □ 

(Day Month Year Filed) Yes No 
(Tag Monat Jahr eingereicht) Ja Nein 


(Number) (Country) 
(Nummer) (Land) 


□ □ 

(Day Month Year Filed) Yes No 
(Tag Monat Jahr eingereicht) Ja Nein 


Ich beanspruche hiermit gemass Absatz 35 der Zivil- 
prozessordnung der Vereinigten Staaten, Paragraph 
120, den Vorzug aller unten aufgefuhrten Anmel- 
dungen und falls der Gegenstand aus jedem Anspruch 
dieser Anmeldung nicht in einer fruheren 
amerikanischen Patentanmeidung laut dem ersten 
Paragraphen des Absatzes 35 der Zivilprozefcordnung 
der Vereinigten Staaten, Paragraph 122 offenbart ist, 
erkenne ich gemass Absatz 37, Bundesgesetzbuch, 
Paragraph 1.56(a) meine Pflicht zur Offenbarung von 
Informationen an, die zwischen dem Anmeldedatum 
der fruheren Anmeldung und dem nationalen Oder PCT 
internationalen Anmeldedatum dieser Anmeldung 
bekannt geworden sind. 


I hereby claim the benefit under Title 35. United States 
Code. §120 of any United States application (s) listed 
below and, insofar as the subject matter of each of the 
claims of this application is not disclosed in the prior 
United States application in the manner provided by 
the first paragraph of Title 35, United States Code, 
§122, I acknowledge the duty to disclose material 
information as defined in Title 37, Code of Federal 
Regulations, §1. 56(a) which occured between the filing 
date of the prior application and the national or PCT 
international filing date of this application. 


PCT/DE99/03262 


11.10.1999 




(Application Serial No.) 
(Anmeldeseriennummer) 


(Filing Date D, M, Y) 
(Anmeldedatum T, M, J) 


(Status) (Status) 
(patentiert, anhangig, (patented, pending, 
aufgegeben) abandoned) 


(Application Serial No.) 
(Anmeldeseriennummer) 


(Filing Date D,M,Y) 
(Anmeldedatum T, M; J) 


(Status) (Status) 
{patentiert, anhangig, (patented, pending, 
aufgeben) abandoned) 


Ich erklare hiermit, dass alle von mir in der vorliegen- 
den Erklarung gemachten Angaben nach meinem 
besten Wissen und Gewissen der vollen Wahrheit 
entsprechen, und dass ich diese eidesstattliche Erkla- 
rung in Kenntnis dessen abgebe, dass wissentlich und 
vorsatzlich falsche Angaben gemass Paragraph 1001, 
Absatz 18 der Zivilprozessordnung der Vereinigten 
Staaten von Amerika mit Geldstrafe belegt und/oder 
Gefangnis bestraft werden koennen, und dass derartig 
wissentlich und vorsatzlich falsche Angaben die Gul- 
tigkeit der vorliegenden Patentanmeidung oder eines 
darauf erteilten Patentes gefahrden konnen. 


I hereby declare that all statements made herein of my 
own knowledge are true and that all statements made 
on information and belief are believed to be true, and 
further that these statements were made with the 
knowledge that willful false statements and the like so 
made are punishable by fine or imprisonment, or both, 
under Section 1001 of Title 18 of the United States 
Code and that such willful false statements may 
jeopardize the validity of the application or any patent 
issued thereon. 




Page 2 




Form PTO-FB-240 (8-83) 


Patent and Trademark Office-U.S. DEPARTMENT OF COMMERCE 



German Language Declaration 



VERTRETUNGSVOLLMACHT: Als benannter Erfinder 
beauftrage ich hiermit den nachstehend benannten 
Patentanwalt (oder die nachstehend benannten 
Patentanwalte) und/oder Patent-Agenten mit der 
Verfolgung der vorliegenden Patentanmeldung sowie 
mit der Abwicklung aller damit verbundenen Geschafte 
vor dem Patent- und Warenzeichenamt: (Name und 
Registrationsnummer anfuhren) 



POWER OF ATTORNEY: As a named inventor, I 
hereby appoint the following attorney(s) and/or 
agent(s) to prosecute this application and transact all 
business in the Patent and Trademark Office 
connected therewith, (list name and registration 
number) 



Customer No. 26574 



And I hereby appoint 



Telefongesprache bitte richten an: 
(Name und Telefonnummer) 



Direct Telephone Calls to: (name and telephone 
number) 



Ext. 



Postanschrift: 



Send Correspondence to: 

Schiff, Hardin & Waite 
6600 Sears Tower 60606-6473 Chicago, Illinois 
Telephone: +1 312 258 5780 and F acsim ile +1 312 258 5921 




Voller Name des einzigen oder ursp rung lichen Erfinders: 


Full name of sole or first inventor: 




-MARTIN EUCHNER 


MARTIN EUCHNER 




Unterschrift dear ErfindMS / Datum 


Inventor's signature 


Date 


Wohnsitz 

MUENCHEN. DEUTSCHLAND l)B^\K 


Residence 

MUENCHEN, GERMANY 


Staatsangehorigkeit 


Citizenship 




DE 


DE 




Postanschrift 


Post Office Addess 




LORENZSTR. 2 


LORENZSTR. 2 




81737 MUENCHEN 


81737 MUENCHEN 


Voller Name des zweiten Miterfinders (falls zutreffend): 


Full name of second joint inventor, if any: 


Unterschrift des Erfinders Datum 


Second Inventor's signature 


Date 


Wohnsitz 
j 


Residence 
j 


Staatsangehorigkeit 


Citizenship 


Postanschrift 


Post Office Address 







{Bitte entsprechende Informationen und Unterschriften im (Supply similar information and signature for third and 
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